Re: Moving forward on improving HTTP's security from Mark Nottingham on 2013-11-14 (ietf-http-wg@w3.org from October to December 2013)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 14 Nov 2013 09:34:07 +0800
To: Eliot Lear <lear@cisco.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DA222D56-F23D-4C69-88DB-940748A12C51@mnot.net>
Hi Eliot,

On 14 Nov 2013, at 7:59 am, Eliot Lear <lear@cisco.com> wrote:

> Hi Mark,
> 
> Your proposal seems to logically follow from the exchange we had in the
> plenary, that in essence this group should place a bet that the benefits
> of HTTP2 would propel adoption of TLS.  Seems to me that is a good
> research question where the answer would be a model of the sorts of
> behaviors we can reasonably expect.

Yes, as much as any such model can be accurate. The second-order and following effects are the hard part.

> In the longer term, might we reasonably expect interoperability problems
> due to incompatible national cryptographic standard mandates?  That is:
> if the U.S. requires one form of encryption for a transaction and Russia
> requires another, and there is no means to meet in the middle, there
> will be no communication.  I don't know if this one can be mitigated,
> but it should probably be studied.  Maybe the right thing is to not have
> these systems communicate.  That would bound our all encompassing view
> of interoperability, but maybe that's a good thing.  Balkanization,
> however, is not.  Not all of these problems are this working group's, of
> course.  Some cross over to layer 9.

Yep, this has come up a few times. Stephen is still working on characterising the outcome of the PERPASS BoF, AIUI, but there was discussion there of profiling / recommending best practice for TLS, and this would fall into that discussion. Don’t know where that’ll happen yet.

> Third, there are some who are doing object-level encryption and may not
> desire transport encryption.
> 
> The WG might or might not not care about the answers to these
> questions.  That is, perhaps HTTP2 is targeted to a specific
> application, and we should allow for that.  But if that's the case, we
> should perhaps say that.

Personally, I’m very interested in these approaches, and may be experimenting with them to see where it gets us. Whether that’s an alternate to the current approach or the spiritual successor to shttp:// URIs is anybody’s guess at the moment. Hopefully running code will help illuminate that discussion.

> Please don't take these questions as opposition to what you propose. 
> Rather I am trying to understand the tradeoffs.

Not at all; we all are. The point I want to re-emphasise to everyone is that the intent is to build on that approach, as well as constantly evaluate it. 

Cheers,

> 
> Eliot
> 
> On 11/13/13 2:01 AM, Mark Nottingham wrote:
>> In Vancouver, we continued the discussion that we started in Berlin regarding the use of encryption in HTTP/2.
>> 
>> There seems to be strong consensus to increase the use of encryption on the Web, but there is less agreement about how to go about this.
>> 
>> The most relevant proposals were:
>> 
>> A. Opportunistic encryption for http:// URIs without server authentication -- a.k.a. "TLS Relaxed" as per draft-nottingham-http2-encryption.
>> 
>> B. Opportunistic encryption for http:// URIs with server authentication -- the same mechanism, but not "relaxed", along with some form of downgrade protection.
>> 
>> C. HTTP/2 to only be used with https:// URIs on the "open" Internet. http:// URIs would continue to use HTTP/1 (and of course it would
>> still be possible for older HTTP/1 clients to still interoperate with https:// URIs).
>> 
>> In subsequent discussion, there seems to be agreement that (C) is preferable to (B), since it is more straightforward; no new mechanism needs to be specified, and HSTS can be used for downgrade protection.
>> 
>> (C) also has this advantage over (A), and furthermore provides stronger protection against active attacks.
>> 
>> The strongest objections against (A) seemed to be about creating confusion about security and discouraging use of "full" TLS, whereas those against (C) were about limiting deployment of better security.
>> 
>> Keen observers have noted that we can deploy (C) and judge adoption of the new protocol, later adding (A) if neccessary. The reverse is not necessarily true.
>> 
>> Furthermore, in discussions with browser vendors (who have been among those most strongly advocating more use of encryption), there seems to be good support for (C), whereas there's still a fair amount of doubt/disagreement regarding (A).
>> 
>> As a result, I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2.0 with https:// URIs.
>> 
>> This can be effected without any changes to our current document; browser vendors are not required to implement HTTP/2.0 for http:// URIs today. However, we will discuss formalising this with suitable requirements to encourage interoperability; suggestions for text are welcome.
>> 
>> To be clear - we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case -- browsing the open Web -- you'll need to use https:// URIs and if you want to use the newest version of HTTP.
>> 
>> This is by no means the end of our security-related work. For example:
>> 
>> * Alternate approaches to proxy caching (such as peer-to-peer caching protocols) may be proposed here or elsewhere, since traditional proxy caching use cases will no longer be met when TLS is in wider use.
>> 
>> * As discussed in the perpass BoF, strengthening how we use TLS (e.g., for Perfect Forward Security) is on the table.
>> 
>> * A number of people expressed interest in refining and/or extending how proxies work in HTTP (both 1.0 and 2.0), as discussed in draft-nottingham-http-proxy-problem (among many other relevant drafts).
>> 
>> Furthermore, other security-related work in the IETF (see the perpass BoF) and elswhere (e.g., W3C) may affect HTTP. For example, a number of people have pointed out how weaknesses in PKIX affect the Web.
>> 
>> Your input, as always, is appreciated. I believe this approach is as close to consensus as we're going to get on this contentious subject right now. As HTTP/2 is deployed, we will evaluate adoption of the protocol and might revisit this decision if we identify ways to further improve security.
>> 
>> 
>> 
>> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 14 November 2013 01:34:38 UTC